
Add sensible defaults to the OSV evaluator to allow running without any configuration #3053

Merged
merged 1 commit into from
Apr 12, 2024

Conversation

jhrozek
Contributor

@jhrozek jhrozek commented Apr 11, 2024

Summary

Configuring the OSV evaluator is a bit of a PITA, but at the same time,
the configuration is normally not really needed for public projects as
they would all use the same OSV instance and the same package databases.

Let's just hardcode sensible defaults so that profiles can be leaner and
UIs don't have to ask users to input all this data.

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

Create a very minimal profile:

# minimal profile: the pr_vulnerability_check rule runs with an empty def,
# relying entirely on the evaluator's built-in OSV defaults
version: v1
type: profile
name: acme-github-profile-pr-vuln-check
context:
  provider: github
  pull_request:
    - type: pr_vulnerability_check
      def: {}
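To show what "run without any configuration" means for the rule above, here is an added example (not Minder's own code) of a loader that accepts the rule's def block, fills any field the profile leaves out from built-in defaults, and still validates the result; the config struct, its field names, the default endpoint and ecosystem list are all assumptions, and the def is parsed as JSON since the YAML flow mapping `{}` is valid JSON too.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// OSVConfig is a hypothetical stand-in for the evaluator's settings;
// the field names are assumptions, not Minder's own types.
type OSVConfig struct {
	Endpoint   string   `json:"endpoint"`
	Ecosystems []string `json:"ecosystems"`
}

// Built-in defaults used when the profile's def omits a field (constructed values).
var defaultOSVConfig = OSVConfig{
	Endpoint:   "https://api.osv.dev",
	Ecosystems: []string{"Go", "npm", "PyPI"},
}

// LoadOSVConfig parses the rule's def and fills missing fields from the
// defaults, so `def: {}` yields a usable configuration while an explicit
// value in the profile still wins.
func LoadOSVConfig(rawDef []byte) (OSVConfig, error) {
	cfg := OSVConfig{}
	if strings.TrimSpace(string(rawDef)) != "" {
		if err := json.Unmarshal(rawDef, &cfg); err != nil {
			return OSVConfig{}, fmt.Errorf("invalid def: %w", err)
		}
	}
	if cfg.Endpoint == "" {
		cfg.Endpoint = defaultOSVConfig.Endpoint
	}
	if len(cfg.Ecosystems) == 0 {
		cfg.Ecosystems = append([]string(nil), defaultOSVConfig.Ecosystems...)
	}
	// Defaulted or overridden, only accept an https endpoint so a profile
	// cannot quietly downgrade the vulnerability lookup to plaintext.
	u, err := url.Parse(cfg.Endpoint)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return OSVConfig{}, fmt.Errorf("endpoint %q must be an https URL", cfg.Endpoint)
	}
	return cfg, nil
}

func main() {
	cfg, err := LoadOSVConfig([]byte(`{}`)) // the empty def from the profile above
	fmt.Println(cfg, err)
}
```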

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

…ny configuration

Configuring the OSV evaluator is a bit of a PITA, but at the same time,
the configuration is normally not really needed for public projects as
they would all use the same OSV instance and the same package databases.

Let's just hardcode sensible defaults so that profiles can be leaner and
UIs don't have to ask users to input all this data.
@jhrozek jhrozek requested a review from a team as a code owner April 11, 2024 21:11
@coveralls

Coverage Status

coverage: 48.089% (-0.08%) from 48.168%
when pulling 8c51e13 on jhrozek:osv_defaults
into 6e21fc0 on stacklok:main.

@jhrozek jhrozek merged commit 9187f96 into stacklok:main Apr 12, 2024
21 checks passed